Symantec: MS Making Vista Insecure

Microsoft's partners are continuing to cry foul over the decision to lock down the Windows Vista kernel with a feature called PatchGuard, claiming an announcement about sharing security APIs is simply a "red herring" to fool the press.

The contentious issue revolves around the ability of security vendors to write applications that essentially "patch" the Windows kernel to protect it from viruses and other malware. With PatchGuard, Vista attempts to do this on its own, in turn thwarting both protectors and attackers.

While partners such as Symantec, McAfee and Sunbelt Software understand the intentions of PatchGuard, they allege that Microsoft is actually making the operating system less secure by locking out third parties. These companies say that patching the kernel is of critical importance to security software, especially when new threats surface.

This is where opinions diverge. Microsoft, along with security software firms Sophos and Kaspersky, doesn't believe that patching the operating system is a necessity for security, and says PatchGuard shouldn't get in the way of application developers. In fact, Sophos says it currently has no need to access the internals of the Windows kernel.

Symantec and McAfee, which together are much larger than Sophos and Kaspersky combined, dispute that viewpoint. They use kernel patching to stop viruses from shutting down security software with a feature called Tamper Protection, as well as for Behavior Blocking and host-based intrusion prevention systems (HIPS).

"The more general problem illustrated by the Tamper Protection example is as follows: Currently when a security company needs to provide security against a certain class of threat, we are able to do so even if Microsoft does not offer an API. With PatchGuard Microsoft is stepping in and changing the rules," says Rowan Trollope, Symantec’s VP of Consumer Products and Solutions.

Essentially, PatchGuard detects unauthorized patches of certain data structures or code in the kernel and in turn initiates a system shutdown. Microsoft has not specified what exactly will take place if such a patch is discovered, but Symantec claims a Windows computer will give a "blue screen of death" and turn off.
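A minimal model of the detection half of that mechanism, added here as an illustration rather than Microsoft's code: each protected region's digest is recorded once, re-checked later, and a mismatch identifies which region was patched (region names and contents are constructed stand-ins, not real Vista kernel structures).

```c
/* Simplified model of the integrity-monitoring idea behind PatchGuard:
 * added example, not Microsoft's code. Region names and contents are
 * constructed stand-ins, not real Vista kernel structures. */
#include <stdint.h>
#include <stddef.h>
#define MAX_REGIONS 4

struct region {
    const char *name;
    const uint8_t *base;   /* start of protected memory */
    size_t len;
    uint64_t baseline;     /* digest taken when the region was registered */
};

static struct region regions[MAX_REGIONS];
static int nregions;

/* FNV-1a: cheap, and any single-byte patch changes the digest. */
static uint64_t fnv1a64(const uint8_t *p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 1099511628211ULL; }
    return h;
}

/* Record the trusted state of a region; returns its index, or -1 if full. */
int protect_region(const char *name, const uint8_t *base, size_t len) {
    if (nregions == MAX_REGIONS) return -1;
    regions[nregions] = (struct region){ name, base, len, fnv1a64(base, len) };
    return nregions++;
}

/* Periodic check: index of the first modified region, or -1 if all intact.
 * PatchGuard's response at this point is a bugcheck; the model only reports. */
int verify_regions(void) {
    for (int i = 0; i < nregions; i++)
        if (fnv1a64(regions[i].base, regions[i].len) != regions[i].baseline)
            return i;
    return -1;
}

/* Register two constructed regions, patch one byte of the second, and return
 * the index the check reports: 1 on success, negative if detection failed. */
int demo_patch_detection(void) {
    static uint8_t dispatch_table[64], code_page[128];   /* zero-filled */
    protect_region("dispatch_table", dispatch_table, sizeof dispatch_table);
    int code_idx = protect_region("code_page", code_page, sizeof code_page);
    if (verify_regions() != -1) return -2;   /* must start out intact */
    code_page[17] = 0x90;                    /* simulate an in-place patch */
    return verify_regions() == code_idx ? code_idx : -3;
}
```

The point the article's dispute turns on is visible in the model: the check cannot tell a security product's hook from a rootkit's, so both trip it.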

Most consumers, however, are unlikely to see any problems initially. PatchGuard will only affect 64-bit versions of Windows Vista, and x64 Editions of Windows are rarely sold in retail or to consumers. Nonetheless, Windows Vista will include both 32-bit and 64-bit versions in the box, and OEMs are likely to begin pushing 64-bit systems once the new operating system begins shipping early next year.

"When Vista 64 gets released, we will not have the APIs we need, and Microsoft expects customers to stand by, unprotected, waiting for 'multiple upcoming Windows releases as we understand the exact requirements'," adds Trollope.

Symantec claims it has attempted to work with Microsoft for two years on the issue, but the Redmond company has refused to budge from its position. Trollope says Symantec proposed alternatives, such as leaving PatchGuard in place but offering a secure API for security vendors.

"There has been a lot of confusion based on what Microsoft has said publicly. First, to be clear, Symantec already uses all available security related APIs provided by Microsoft. The key word here is 'available'; there are no available APIs for these advanced protection technologies we offer today," explains Trollope.

For its part, Microsoft says it is trying to work with partners on the PatchGuard issue. The company also asserts that its own new security products such as Windows Live OneCare and Forefront do not have any advantage, although Symantec notes that Microsoft's offerings also don't include any advanced protection technologies.

"We’re totally committed to working with ISVs, and have been working with them for years now, to provide new documented and supported interfaces in 64-bit versions of Windows that will allow them to leverage the kernel on x64 systems, thus enabling a comparable level of functionality to what they have today on 32-bit systems without direct access to the kernel," remarked Stephen Toulouse, a security expert who recently left Microsoft's Security Response Center for the Vista team.

But another problem, critics say, is that PatchGuard primarily hamstrings Microsoft's security partners, not the hackers. Symantec claims it has already figured out ways around PatchGuard, which means hackers have as well. But if Symantec were to release a product that bypasses the protection, Microsoft has promised an update to Vista that will cause the computer "to bluescreen."

"We of course cannot pursue a path when Microsoft tells us that they will bluescreen our customers' machines. Hackers on the other hand have no such issues. Once they work around PatchGuard (which they already have), they don’t really care if the system becomes unstable or bluescreens or anything else," asserts Trollope. "So in fact PatchGuard works in favor of hackers in this case."

JupiterResearch senior analyst and Microsoft pundit Joe Wilcox broke down the argument for BetaNews. "The situation is like this: Before, Microsoft security partners could take whatever path they wanted to climb the mountain and reach the summit," he said. "Now, they will have to use Microsoft security APIs, which create a path, and the only way they're allowed to go up the mountain."

"But Microsoft's APIan Way won't take them all the way to the summit. There is going to be a problem if the hackers can scale up to the summit by another route, while the security vendors are stuck below on the path," Wilcox added.

Sunbelt Software CEO Alex Eckelberry agrees with Symantec's conclusion. "Folks, this is a real issue. Microsoft has created a PR coup by “agreeing” to give APIs to security companies. It’s a red herring," he said. "The security industry needs full access to the kernel. Period."

With Windows Vista expected to be released to manufacturing before the end of the month, third-party security vendors are unlikely to see any of their demands fulfilled, at least before launch. What's still unclear is how this will change Microsoft's partner landscape. Symantec was once a close bedfellow to Redmond and a major supporter of the Windows XP launch in 2001.